GPSolo Magazine - December 2005

Phishing, Pharming, and Other Scams

By J. Anthony Vittal

Are there any e-mail users who have not by now received an alarming message from a bank, brokerage house, or online retailer claiming that something is potentially wrong with their account necessitating immediate action? Welcome to the world of phishing. The Anti-Phishing Working Group (www.antiphishing.org) defines phishing as

a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social engineering schemes use “spoofed” e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as account usernames and passwords. Hijacking brand names of banks, e-retailers, and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware [i.e., spyware, viruses, etc., that steal information from you to enable you to be victimized financially] onto PCs to steal credentials directly, often using key logging systems to intercept consumers’ online account usernames and passwords.

One of the more creative phishing e-mail messages is illustrated in Figure 1. If you didn’t have a Washington Mutual account, you would dismiss this e-mail out of hand. If you did, however, you might be tempted to respond—if for no reason other than to determine who is Gary Edwards (the person for whom the reservation ostensibly was made)—unless you stopped for a moment to question the validity of the message.

This message is actually a phishing expedition, as the following clues reveal. First, the language is arcane. When was the last time you were addressed in an e-mail as a “respected member” of your financial institution? Second, you would expect an online payment transaction through Expedia to process automatically. Third, the grammar is odd for a letter claiming to come from an American institution: You would expect the text to read “a five-day reservation” (not “a 5 days reservation”) and “a Five-Star Hotel” (not “a Five Stars Hotel”). Finally, note the link at the bottom of the window—it does not point to the Washington Mutual website (www.wamu.com), but instead to dmswebsolutions.com, which clearly has no connection to Washington Mutual. You certainly would expect an interstate financial institution to refer you back to itself, not a third-party domain, and you would expect the institution to provide you a means of contacting it if you had any questions, rather than telling you not to reply to the message.

Figure 2 presents another phishing e-mail, this one claiming to come from Amazon.com. The tip-off here is the URL in the link: www.amazon.com@mdelas.com. Because a browser treats everything before an “@” as a user name and takes the real host name from whatever follows it (up to the first “/” symbol), the link points to mdelas.com, not to amazon.com.
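The two link tricks described above (a third-party domain behind a brand’s message, and a brand name placed before an “@”) can both be checked mechanically by asking a URL parser which host the link really names. The following is an added example, not code from the original article; it uses only the Python standard library, the sample links are constructed from the two messages the article describes (the path on the dmswebsolutions.com link is invented), and it also covers the brand name used as a decoy subdomain of an unrelated host, a variant the article does not show.

```python
"""Work out which host a link really points to and compare it with the brand it claims.

Added example, not from the original article. Standard library only.
"""
from urllib.parse import urlsplit


def _normalize(link: str) -> str:
    # Links pasted without a scheme ("www.wamu.com/...") would otherwise be
    # parsed as a path; add http:// so the authority part is recognised.
    return link if "://" in link else "http://" + link


def real_host(link: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit() follows the URL grammar: anything before an '@' in the
    authority part is user information, not the host, so
    'http://www.amazon.com@mdelas.com/' yields 'mdelas.com'.
    """
    host = urlsplit(_normalize(link)).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(host: str, brand_domain: str) -> bool:
    """True if host is brand_domain itself or one of its subdomains."""
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def classify_link(link: str, brand_domain: str) -> dict:
    """Explain why a link that claims to be for brand_domain is (or is not) suspect."""
    host = real_host(link)
    reasons = []
    if "@" in urlsplit(_normalize(link)).netloc:
        reasons.append("text before '@' is user information, not the host")
    if not belongs_to(host, brand_domain):
        reasons.append(f"host {host!r} is outside {brand_domain!r}")
        if brand_domain.lower() in host:
            reasons.append("brand name appears only as a decoy part of an unrelated host")
    return {"host": host, "suspect": bool(reasons), "reasons": reasons}


# Constructed samples based on the messages the article describes.
SAMPLE_LINKS = {
    "http://www.amazon.com@mdelas.com/": "amazon.com",        # Figure 2 style
    "http://dmswebsolutions.com/wamu/": "wamu.com",           # Figure 1 style (path invented)
    "http://www.amazon.com.mdelas.com/": "amazon.com",        # decoy-subdomain variant
    "https://www.wamu.com/securityandprivacy/security.htm": "wamu.com",  # genuine
}


def audit_links(links=SAMPLE_LINKS) -> dict:
    """Classify every (link, claimed brand) pair; used for the demonstration below."""
    return {link: classify_link(link, brand) for link, brand in links.items()}


if __name__ == "__main__":
    for link, verdict in audit_links().items():
        print(link, "->", verdict["host"], "SUSPECT" if verdict["suspect"] else "ok", verdict["reasons"])
```

Only the last sample link is reported as clean; the check does not replace the advice above to navigate to the institution yourself, but it removes the guesswork from reading a crafted URL.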

These messages all share a common goal—to prompt you to visit the linked website, where you will be asked for sufficient personal identifying information about yourself to enable the phishers to access and raid your account(s). The phishers all rely on the trust you have developed in the institutions with which you deal online. In some cases, the e-mail may appear to come from a government agency, including one of the federal financial institution regulatory agencies. Many of the more sophisticated phishers even include links in their messages to legitimate portions of the actual institution’s website—such as the privacy policy and the terms of use.

Phishing does not only have an adverse effect on consumers. Because phishing directly challenges the bond of trust between a brand and its customers, phishing is stunting the brands’ marketing efforts and their ability to expand these online business channels.

The economics of phishing explain its popularity among thieves. Mailing lists are readily available on the Internet for a relatively small investment. Phishers then run their messages through unsecured networks and proxy servers to hide the source information on their messages. It takes only a few “bites” at the bait to recover all of the costs incurred and to turn a profit. Even worse, some of the phishers are using their fake websites to deliver a Trojan horse backdoor program to your computer designed to give the phisher remote control of it, allowing access to all of your unencrypted data and enabling the phisher to use it to send more malicious messages.

According to the Anti-Phishing Working Group, the number of unique phishing reports received in August 2005 (the most recent month for which data was available when this article was written) was 13,776, up from 2,854 reports received in April 2005. There were 5,259 new phishing sites—attacking 84 different brands—reported during August, up from 4,564 new sites reported in July. The August report reveals other key data:

The financial services industry is the primary target of phishers, representing 84.5 percent of all attacks.

Internet service providers (ISPs) represent the second-largest target group, with phishers attempting to fool consumers into believing their Internet service will be terminated unless their credit card and other personal information is updated.

As the major banks and other major financial institutions are aggressively responding to phishing directed at their customers, phishers are diversifying, attacking the customers of very small financial institutions all over North America and Western Europe at an increasing rate.

Although the U.S. remains the principal host to phishing websites (27.9 percent), China (12.15 percent) and the Republic of Korea (9.6 percent) follow. Rounding out the top ten are France, Japan, Germany, Australia, Russia, Canada, and Sweden.

The U.S. continues to be the principal host to websites hosting crimeware (40 percent), but Brazil (15 percent) and Spain (12.5 percent) have developed a sudden popularity. They are followed by China, the Republic of Korea, the U.K., Russia, Germany, Romania, and Italy.

Phishers are becoming more focused. In August, the top 80 percent of all phishing campaigns targeted only 3 brands, down from 7 brands in April.

There is one thing you have to remember when presented with a phishing e-mail: Legitimate businesses never request that you update your account and give personal information in this fashion. In addition, legitimate businesses and others, such as the Anti-Phishing Working Group and Identity Theft 911 (www.identitytheft911.org) track these phishing exploits and disclose them on their websites. If you ever get one of these messages, never activate the link in the message. Instead, navigate to the institution’s own website the way you usually do and look for its materials on phishing. (For example, if you had received the e-mail in Figure 1, you should go directly to the Washington Mutual website, www.wamu.com/securityandprivacy/security.htm#Phishing.) Forward a copy of the message to the institution, showing all headers (e.g., to spoof@wamu.com) with a copy to the Federal Trade Commission at spam@uce.gov.

Here is some further advice from the FTC’s Office of the Comptroller of the Currency:

Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. E-mails and Internet pages created by phishers may look exactly like the real thing. They may even have a fake padlock icon that ordinarily is used to denote a secure site. If you did not initiate the communication, you should not provide any information.

If you believe the contact may be legitimate, contact the financial institution yourself. You can find phone numbers and websites on the monthly statements you receive from your financial institution, or you can look up the company in a phone book or on the Internet. The key is that you should be the one to initiate the contact, using contact information that you have verified yourself.

Never provide your password over the phone or in response to an unsolicited Internet request. A financial institution would never ask you to verify your account information online. Thieves armed with this information and your account number can help themselves to your savings.

According to the FTC, advance-fee fraud has been around for decades, but it seems to have reached epidemic proportions. These scams are not limited to people masquerading as Nigerians—they now claim to come from other African and Asian nations as well—but the common name “Nigerian advance-fee scams” has stuck. (They are sometimes called “419 scams,” after the provision of the Nigerian Criminal Code.) Some consumers have told the FTC they are receiving dozens of offers every day from foreign nationals politely promising big profits in exchange for help moving large sums of money out of their country. Apparently, many compassionate consumers are continuing to fall for the convincing sob stories, the unfailingly polite language, and the unequivocal promises of money. The text from one that I received in mid-October is reproduced in Figure 3 on page 28.

These advance-fee solicitations are scams, and the scam artists are playing each and every consumer for a fool. The schemes work like this:

Claiming to be government officials, businesspeople, or the surviving spouses or children of former government honchos, con artists offer to transfer millions of dollars into your bank account in exchange for a small fee. If you respond to the initial offer, you may receive “official looking” documents. Typically, the target then will be asked to provide blank letterhead and bank account numbers, as well as some money to cover transaction and transfer costs and attorney fees.

The target may even be encouraged to travel to a country outside the U.S. to complete the transaction. Sometimes, the scammers will produce trunks of dyed or stamped money to verify their claims. Inevitably, though, emergencies come up, requiring more of the target’s money and delaying the “transfer” of funds to the target’s account. In the end, there are no profits to share, and the scam artist has vanished with the target’s money.

If you ever are tempted to respond to one of these offers, the FTC suggests you stop and ask yourself two important questions. Why would a perfect stranger pick you—also a perfect stranger—to share a fortune? Why would you share your personal or business information, including your bank account numbers (sometimes they even ask for your client trust account information), or your law firm letterhead with someone you don’t know? In addition, the U.S. State Department cautions against traveling to the destinations mentioned in the letters. According to State Department reports, people who have responded to these advance-fee solicitations have been beaten, subjected to threats and extortion, and in some cases murdered.

If you receive an offer via e-mail from someone claiming to need your help getting money out of Nigeria—or any other country, for that matter—forward it to the FTC at spam@uce.gov and remember the old adage—“There ain’t no such thing as a free lunch.”

Other 419 Scams

Working on the same “social engineering” principles as the Nigerian advance-fee scams, other so-called 419 pitches involve lotto schemes, prize claims, and other forms of fee solicitation initially delivered by e-mail (see Figure 4 on page 30). Some of them are very creative, offering to donate a substantial portion of your “winnings” to charities of your choice to increase the probability of your response. Once again, remember “There ain’t no such thing as a free lunch.”

Pharming

The most insidious of the new schemes is “pharming.” In essence, a pharmer uses a vulnerability in the Domain Name System (DNS) to fool it into directing traffic destined for a legitimate website to the pharmer’s illegitimate site—which looks just like the real thing. To understand this, you need to understand how the DNS works. A URL for a website (e.g., www.credit.com) is the equivalent of a name in a telephone directory. To connect to a party on the phone, you need to find the telephone number by looking up the name in a phone book. To connect to the computer associated with the URL (in this case, www.credit.com), you need its IP address (e.g., 64.127.114.195); the DNS acts like an automated phone book, providing your computer the IP address. Pharming intercepts this transaction and substitutes a false IP address in place of the real one, and traffic gets redirected.
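The “automated phone book” can be modelled in a few lines: a cache of name-to-address answers, each valid for a time-to-live (TTL), and a lookup that consults it. The model below is an added example, not code from the original article and far simpler than a real resolver; it shows how a substituted answer redirects every later lookup, and adds the two checks a defender would want: flagging an answer that changes while the old one is still within its TTL (a resolver has no reason to have asked again), and comparing cached answers with a pinned list of known-good addresses. The www.credit.com address is the one quoted above; the attacker address 192.0.2.99 (a documentation range) and the time values are constructed.

```python
"""Toy caching resolver with two pharming checks.

Added example, not from the original article; a simplification of a real resolver.
"""
from dataclasses import dataclass, field


@dataclass
class Record:
    ip: str
    expires: float  # time (seconds) after which the cached answer is stale


@dataclass
class ResolverCache:
    records: dict = field(default_factory=dict)
    anomalies: list = field(default_factory=list)

    def insert(self, name: str, ip: str, ttl: int, now: float) -> None:
        """Cache an answer.

        If a *different* address arrives while the old record is still within
        its TTL, log it: the cache had no reason to refresh, so an overwrite at
        that point is the kind of event cache poisoning produces (simplified
        heuristic; real resolvers apply more rules than this).
        """
        old = self.records.get(name)
        if old is not None and old.expires > now and old.ip != ip:
            self.anomalies.append(
                f"{name}: {old.ip} replaced by {ip} {old.expires - now:.0f}s before expiry"
            )
        self.records[name] = Record(ip, now + ttl)

    def lookup(self, name: str, now: float):
        """Return the cached address, or None if absent or expired."""
        rec = self.records.get(name)
        if rec is None or rec.expires <= now:
            return None
        return rec.ip


def audit(cache: ResolverCache, pinned: dict, now: float) -> list:
    """Compare live cache answers with known-good addresses.

    pinned maps host name -> set of acceptable IPs. Returns the
    (name, cached_ip) pairs that disagree with the pin.
    """
    return [
        (name, ip)
        for name, good in pinned.items()
        if (ip := cache.lookup(name, now)) is not None and ip not in good
    ]


def demo():
    """Legitimate answer, then a substituted one; return what a client now sees."""
    cache = ResolverCache()
    cache.insert("www.credit.com", "64.127.114.195", ttl=3600, now=0)
    # Constructed: an unsolicited answer overwrites the entry long before its TTL ran out.
    cache.insert("www.credit.com", "192.0.2.99", ttl=3600, now=20)
    pins = {"www.credit.com": {"64.127.114.195"}}  # known-good address from the article
    return cache.lookup("www.credit.com", now=30), cache.anomalies, audit(cache, pins, now=30)


if __name__ == "__main__":
    seen, anomalies, mismatches = demo()
    print("client now resolves www.credit.com to", seen)
    print("anomalies:", anomalies)
    print("pin mismatches:", mismatches)
```

After the substitution every client of this cache is sent to 192.0.2.99 until the bogus record expires; the anomaly log and the pin audit are what surface that, since the clients themselves see nothing unusual.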

Pharming attacks principally come in two varieties:

In a “DNS poisoning” attack, a hacker breaks into one or more DNS servers (e.g., those operated by an Internet service provider) and replaces legitimate IP addresses stored in the server’s cache with the IP addresses of bogus websites controlled by the hacker. Because these bogus websites typically appear to be clones of the legitimate websites, the user has no way of knowing anything is wrong. As a result, the operators of a phony banking site could easily capture usernames and passwords for every account holder who is unknowingly redirected there.

An attacker can plant a virus, a Trojan horse, or some other malicious software on your computer. That program may capture and transmit your keystrokes, change your bookmarks and cookies, or change network settings to lead you to a fraudulent clone of the intended website. Once again, the crooks can extract a treasure trove of personal and account data from their unsuspecting visitors.
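One of the “network settings” such a program changes is the local hosts file, which the operating system consults before it asks the DNS at all; an entry there that maps a bank’s name to any address silently overrides the phone book for that one machine. The script below is an added example, not code from the original article: it parses a hosts file and reports any entry for a watched financial domain. The hosts-file text and the example-bank.test domain are constructed (wellsfargo.com and wamu.com are the domains the article names), and 192.0.2.44 is from a documentation address range.

```python
"""Report hosts-file entries that override name resolution for financial sites.

Added example, not from the original article. Standard library only.
On a real machine the file is /etc/hosts (Unix) or
%SystemRoot%\\System32\\drivers\\etc\\hosts (Windows); read it and pass
its text to suspicious_entries().
"""
import ipaddress

# Constructed sample hosts file; the 192.0.2.44 line is the kind of entry
# pharming crimeware plants.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
192.0.2.44  www.example-bank.test example-bank.test   # planted
10.0.0.5    intranet.corp.test
this is not a valid line
"""

# Domains whose names should never appear in a hosts file on a home PC.
WATCHED = {"example-bank.test", "wellsfargo.com", "wamu.com"}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; skip rather than crash
        for name in parts[1:]:
            entries.append((str(ip), name.lower().rstrip(".")))
    return entries


def is_watched(name: str, watched_domains) -> bool:
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched_domains)


def suspicious_entries(text: str, watched_domains=WATCHED) -> list:
    """Return every hosts-file mapping for a watched domain.

    A legitimate hosts file has no business resolving a bank's name at all,
    so any address (even loopback, which would block the site) is reported.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name, watched_domains)]


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file sends {name} to {ip}")
```

Anti-spyware tools perform this same check among others; running it yourself is a quick way to confirm that a bank’s name still reaches the DNS rather than a planted address.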

This danger is scarcely hypothetical. For example, according to the SANS Internet Storm Center:

A pharming attack in early March 2005 redirected visitors from at least 1,300 Internet domains to the compromised web servers. Log data from the compromised servers showed that the redirected requests came from more than 900 unique Internet addresses. In addition, more than 75,000 e-mail messages were redirected.

Another round of pharming attacks in late March involved a DNS server, controlled by crooks, that presented itself as the authoritative DNS server for the entire .com top-level domain (i.e., for all .com addresses). Because the DNS is designed to have all DNS servers talk to each other to keep the system up to date, other DNS servers were “poisoned” with the false IP address information, and they redirected all .com address requests to the crooks’ pharm.

The Troj/BankAsh-A virus, delivered via attachments to spam e-mails, diverts users of such online banking sites as Barclays, HSBC, Lloyds TSB, and NatWest to pharming sites. The attack is triggered by the virus itself, which lies in wait until victims try to visit their banking sites. Once the victim enters a username and password, the corresponding account is automatically emptied, and the funds are routed to the crooks’ offshore accounts.

Another variant of pharming is index hijacking. In this scheme, pharmers spoof search engines (e.g., Google, Yahoo) so that search results include links to phony websites that exist solely to download crimeware onto your system.

One way to avoid being pharmed is to use IP addresses instead of domain names when conducting online financial transactions. To do this, do a WhoIs search at Network Solutions (www.networksolutions.com) and determine the IP address for your bank(s) and/or brokerage firm(s). Then create a bookmark for each bank and/or brokerage firm using its IP address (e.g., http://151.151.88.133) instead of its domain name (e.g., www.wellsfargo.com). By doing this, you will bypass the DNS system and be routed directly to the relevant IP address. This will protect against the rerouting done by traditional pharming but will not protect against the data capture activities of crimeware installed on your system. To combat such crimeware, rely on firewall, antivirus, and anti-spyware software. (See the article “Spyware: Exorcising the Demons” on page 18 for some software recommendations.)

Conclusion

Don’t let these exploits intimidate you. Safe computing is like anything else—it requires your vigilance and thoughtfulness to be successful. Stated simply, be suspicious, be proactive, and use an appropriate mix of prophylactic software. With this information, you should be able to avoid being ripped off. Forewarned is forearmed.

J. Anthony Vittal is general counsel of Credit.Com, Inc., in San Francisco, California. He speaks and writes frequently on legal technology topics and can be reached at tony.vittal@abanet.org.

Figure 3. Text of the advance-fee e-mail referred to above, reproduced as received:

Please With all sincerity my name is Mr. Martin Abad, a practicing financial Services consultant representing the late Mr. Saad Mohamade , my late client who died Recently during the Tsunami flood disaster in Asia, leaving some estate funds amounting (10.5 million Dollars) deposited with a finance and self-deposit firm in Spain.

Since he died, I have received from his Finance house, an order of MANDAMUS, mandating me to locate any of his relatives/confidant for purpose of preparing fund if there is no response to this them to receive the deposited sum. However, the fund may be donated to trust mandamus within the period the Finance house permitted the search. I am currently in Madrid and I decide to seek your collaboration in confidence.

To permit me present you to the Finance house as the beneficiary/next of kin to the deceased. There is evidence to back up our claims on presenting you as the only rightful beneficiary to the fund/money. All I require is your cooperation to work it out. I guarantee that this will be executed under a legitimate arrangement that will protect you and me from any breach of the law.

Please reach me with your personal details. I will be sending you the transaction details immediately. I repeat I have covered every legal side of the transaction. Respond most be urgent. I anticipate your urgent response to enable us meet the required date.

Figure 4. Text of the lotto-scam e-mail referred to above, reproduced as received:

This is to congratulate you over your success in our computer balloting sweepstake held on 17th October,2005 in which your email address attached to ticket number LNT456780909893 and drew the lucky numbers 4-10-12-55-25-87,batch number 4978/NL, serial number IL/PLW/18-C0547671754 and consequently won the sum of U.S $1million dollars from the total prize money of $15,800,000 shared among the seventeen international winners. This is a millennium scientific computer game in which email addresses were used and it is a promotional program aimed at encouraging internet users;so you do not need to buy a ticket to enter for our online lotto program. Note that this program was sponsored by a group of Millionaire philanthropist,and headed by the Netherlands government. This email is not one of those numerous lotto email scams you might have received in the past which always require you to sign out a blank cheque or give out your bank information in order to perpetrate their illicit lotto scams. Please note that this winning is very real and legitimate and your exercising good faith in this our lottery program will enable us remit your winning funds to you in your preferred mode of payment without any further delay. Therefore,to confirm the legitimacy of our lottery program, the below website is one of the websites we are running over the internet concerning our lottery programs in the Netherlands. http://www.lotto.nl/lotto/execute/intro?node=lottointros&default=lottorootnode&ad=0

However,to begin your claim,being non-netherlands resident or citizen,you are required within five days to officially notarize your winning claim at the Dutch Court of Justice in the Netherlands to sign the Release Order and the clearance papers that will enable the paying Challet Consulting Agency release your winning funds to you. But in case you cannot come to the Netherlands within the stipulated two days,do inform your claim officer to make proper arrangement regarding your claim notarization. Once your claim is fully notarized and a copy of the Notary receipt from the court is forwarded to us,we will provide you with your Award winning Certificate. Please for more information concerning the claim of your winning funds,we advise you to forward a confirmation email to your claim officer at the paying Challet Consulting Agency and as well follow their claim instructions. Below is the contact details of your claim officer:

Conclusively, Allwin Lotto is not a scam organization therefore this mail should not be treated as a scam scheme or be taken for granted,we are backed up by the appropriate lottery law in the Netherlands and only the successful winners in this our online lotto program receive this congratulation mail and because you won that is why this mail is being directed to you. Remember that all prize money must be claimed not later than 7 working days. After the last day, all funds will be returned as unclaimed.

Congratulations once again from our team of staff and thank you for being part of our promotional program.